Posted by Taylor Armerding on September 3, 2018
“You can pay (a little) now or you can pay (a lot) later” is a very old line—a pitch for oil filters almost 40 years ago. Unfortunately, it remains relevant in cyber security, especially when it comes to ransomware. And especially when that ransomware is the potent, pernicious SamSam.
The “trade-off” is stark: You can pay a moderate amount up front to build rigorous security into your software and systems. Or you can risk spending vastly more—perhaps hundreds of times more—in damages from a catastrophic cyber attack.
Which is the case with Atlanta, now Exhibit A for megalosses from a SamSam ransomware attack. From an original demand of $51,000 in Bitcoin last March, the cost to the city’s taxpayers has spiraled to more than $17 million, according to the latest estimates.
Atlanta is not an outlier, of course. It is just one example in a long, depressing, and expensive list of SamSam ransomware victims.
But it has become one of the most costly, since attackers took down at least a third of the city’s 424 software programs, about 30% of which were considered “mission critical.”
Among other damage, residents couldn’t pay their bills for city services like water, the city couldn’t collect its parking fines, and the police department lost a mountain of criminal evidence, including its dashcam footage archive.
In April, city officials said the investigation and getting the systems back online had cost $2.7 million—more than 50 times the original ransom demand. In June, Reuters reported that Atlanta Information Management head Daphne Rackley requested another $9.5 million—putting the total at 250 times the hackers’ demand.
And by early August, a “confidential report” obtained by the Atlanta Journal-Constitution and a local TV station estimated the total at $17 million—$6 million in existing contracts for security services and software upgrades and $11 million in associated potential costs, including new desktops, laptops, smartphones, and tablets. That, for those not doing the math, is 333 times the original ransom demand.
As noted earlier, Atlanta is no outlier. The U.K.-based cyber security firm Sophos issued a report last month titled SamSam: The (Almost) Six Million Dollar Ransomware, which found it had “affected far more victims than previously thought, and raised vastly more in ransom demands—almost $6 million,” or about six times more than the previous best estimate. The report estimated that there is a new SamSam ransomware attack each day.
Mark Stockley, writing on the Sophos blog Naked Security, noted, “Most ransomware is spread in large, noisy and untargeted spam campaigns sent to thousands, or even hundreds of thousands, of people … to raise money through large numbers of relatively small ransoms of perhaps a few hundred dollars each.
“SamSam is very different,” he wrote. “It’s used in targeted attacks by a skilled team or individual who breaks into a victim’s network, surveils it and then runs the [encryption] malware manually. The attacks are tailored to cause maximum damage and ransom demands are measured in the tens of thousands of dollars.”
But the report also concluded that while the attackers behind SamSam are continually making improvements, it is not that difficult to defend against. Most cyberthreats can be thwarted with good security hygiene. In the case of SamSam ransomware, organizations need only implement security basics: Keep software updated. Use two-factor authentication. Force workers to use good passwords. Restrict administrative privileges on critical systems to as few accounts as possible. Conduct real-time network and event monitoring. And close possible loopholes, like RDP ports open to the outside world.
Oh yes, and have a disaster and recovery plan in place that includes keeping backups offline and off-site.
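Two of the basics in that list, closing RDP exposed to the outside world and watching network activity for contact with known-bad addresses, are cheap to check for continuously. The script below is an added example, not code from the original post or from Sophos or Synopsys: it flags firewall rules that allow inbound TCP 3389 from any non-internal source, and scans outbound-connection log lines for destinations on a blocklist. The rule format, the log-line format, the host names and the blocklist entries are all constructed assumptions (the addresses come from the RFC 5737 documentation ranges).

```python
"""Audit two 'security basics': RDP reachable from outside, and outbound
contact with blocklisted addresses. All inputs below are constructed."""
import ipaddress
import re

RDP_PORT = 3389

# Address ranges treated as 'inside'. Anything not fully contained in one of
# these is assumed reachable from the outside world (RFC 1918 + loopback).
INTERNAL_NETS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed firewall rules in a hypothetical flat format (one dict per rule).
FIREWALL_RULES = [
    {"name": "allow-rdp-from-anywhere", "action": "allow", "proto": "tcp",
     "port": 3389, "src": "0.0.0.0/0"},
    {"name": "allow-rdp-vpn", "action": "allow", "proto": "tcp",
     "port": 3389, "src": "10.20.0.0/16"},
    {"name": "allow-https", "action": "allow", "proto": "tcp",
     "port": 443, "src": "0.0.0.0/0"},
    {"name": "deny-rdp-any", "action": "deny", "proto": "tcp",
     "port": 3389, "src": "any"},
    {"name": "allow-rdp-partner", "action": "allow", "proto": "tcp",
     "port": 3389, "src": "any"},
]


def reachable_from_outside(src):
    """True unless the source range sits entirely inside an internal net.
    ipaddress's is_private is deliberately avoided: it reports 0.0.0.0/0 as
    private because both ends of that range fall in reserved blocks."""
    cidr = "0.0.0.0/0" if src.lower() == "any" else src
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def exposed_rdp_rules(rules, port=RDP_PORT):
    """Names of allow rules that expose TCP <port> to a non-internal source."""
    return [r["name"] for r in rules
            if r["action"] == "allow" and r["proto"] == "tcp"
            and r["port"] == port and reachable_from_outside(r["src"])]


# Constructed outbound-connection log lines (hypothetical key=value format).
FLOW_LOG = """\
2018-02-12T03:14:07Z host=srv-finance-01 proto=tcp dst=203.0.113.45 dport=443 bytes=5120
2018-02-12T03:14:09Z host=srv-finance-01 proto=tcp dst=198.51.100.7 dport=8080 bytes=812
2018-02-12T03:15:30Z host=ws-clerk-22 proto=tcp dst=203.0.113.45 dport=443 bytes=2048
malformed line that the parser must skip
2018-02-12T03:16:02Z host=srv-finance-01 proto=tcp dst=192.0.2.99 dport=445 bytes=77
"""

# Constructed blocklist; a real one would come from a threat-intel feed.
BLOCKLIST = {"198.51.100.7", "192.0.2.99"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proto=(?P<proto>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def blocklisted_contacts(log_text, blocklist):
    """(host, destination, port) for each log line whose destination is
    on the blocklist. Lines that do not parse are skipped, not fatal."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["dst"] in blocklist:
            hits.append((m["host"], m["dst"], int(m["dport"])))
    return hits


def hosts_to_review(hits):
    """Distinct hosts that contacted a blocklisted address, in first-seen order."""
    seen = []
    for host, _, _ in hits:
        if host not in seen:
            seen.append(host)
    return seen


if __name__ == "__main__":
    for name in exposed_rdp_rules(FIREWALL_RULES):
        print(f"RDP exposed to outside by rule: {name}")
    hits = blocklisted_contacts(FLOW_LOG, BLOCKLIST)
    for host, dst, port in hits:
        print(f"{host} contacted blocklisted {dst}:{port}")
    print("hosts to review:", hosts_to_review(hits))
```

The rule check treats the `any` keyword as 0.0.0.0/0 and uses `subnet_of` against an explicit internal list rather than `is_private`, so a rule that opens 3389 to the whole internet is reported while the VPN-only rule is not. The log check is the kind of signal the external monitoring service in the Atlanta timeline produced: a single server repeatedly reaching a known-bad address is a reason to isolate that host, not just to patch it.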
None of this, apparently, was true in Atlanta, where cyber security for the city was such a low priority that officials essentially ignored warnings of malware in its systems going back nine months earlier—to June 2017.
WSB-TV in Atlanta reported in late March that an email thread from the previous June documented warnings that a specific city server appeared to be infected with malware. Then, in February, an external monitoring service discovered that the same server contacted a blacklisted IP address associated with known ransomware attacks.
And while the city apparently worked to fix the security problem with that one server, it didn’t address the reality that it had been connected to the rest of the city systems.
Which led one official to tell the station, “We must invest in our infrastructure and remain vigilant in ensuring our security measures continue to match the threats facing us.”
That prompted this sardonic observation from Morgan Wright, former senior advisor in the U.S. State Department Antiterrorism Assistance Program, in a guest opinion column for The Hill:
“There’s never enough time and money to do it right. But when government screws up, there’s always time and taxpayer money to do it over, usually at a much higher cost. In the end, it’s the consumer and taxpayer footing the bill.”
The irony is that this will likely keep happening.
Indeed, besides the warnings about its compromised server, Atlanta (as well as every other city in the country) has had a string of warnings about ransomware. These have come from cyber security experts or in the form of attacks on other cities or major companies, including SamSam ransomware attacks but also many others.
Just a brief list includes cities in Colorado, Maryland, Alabama, Tennessee, North Carolina, and New Jersey.
Cesar Cerrudo, CTO at IOActive Labs, predicted three years ago in a white paper that municipalities that embraced the “smart city” concept while failing to be smart about securing their connected systems would be prime targets for ransomware.
Andrew Hay, co-founder and CTO of LEO Cyber Security, agrees that “without knowing their current architecture, staffing, existing capabilities, roadmap, or outstanding issues,” it’s impossible to say exactly what it would have cost for Atlanta to be proactive about security. But, he says, “I believe it would be nowhere near the price they ultimately had to pay.”
And he, like most experts, is dubious that the Atlanta attack will change things in any significant way, even though the numbers would help to “make the business case” for investing up front in cyber security.
“Other cities will take a ‘It didn’t/won’t/wouldn’t happen to us’ stance,” he said, “which is similar to the post-breach sentiment in a typical enterprise or specific industry.
“It’s far easier for outsiders to fold their arms and say ‘We’re fine,’ instead of looking inward to find a similar problem.”
Sammy Migues, senior member, technical, at Synopsys, said the simple reality is that there are not nearly enough people skilled in cyber security, management, and politics to handle the demands of hardening the defenses of a city’s connected systems.
“Think of how many cities there are, and how many skilled people we have,” he said. “It’s not that it can’t be done. But think of what we ask of all the CSOs in the public sector.
“They need technical skills to architect a security program. They need to be able to manage the people working for them. They need to be savvy enough not to get steamrollered by vendors. They need the money to pay for rollout and maintenance. And they need the soft skills to talk to executives like the mayor or city councillors.
“It’s probably unusual to find somebody really qualified in two or three of those areas.”
But if city officials were interested enough to ask him what to do:
“I’d tell them the same basics we’ve been saying for decades,” Migues said. “Know your assets, and be able to recover from total loss.”
But another reality, he said, is that even the best technological security barriers won’t stop ransomware: Even though SamSam ransomware is an exception, the primary path is through a user who clicks on an email.
Ultimately, Migues said, most cities should get out of the security business and hire experts to do it for them.
“Sometimes, at your house, you have to call a plumber,” he said. “Call Amazon and tell them, ‘I want everything in your cloud—with all incoming and outgoing stuff going through a security filter. Tell me how much it is.’”
Hay also said municipalities—or any large, complicated organizations—need expert involvement.
“I’d like to see a collection of cities get together and run intercity war room–style exercises to better identify their respective capabilities in the face of a similar incident,” he said. “They should also invite experts in the field to chime in on how they could increase their ability to weather various prevalent attack scenarios.”
As you might imagine, however, he’s not holding his breath for that to happen.